Network security giant Fortinet has issued critical security updates to address an actively exploited FortiOS authentication bypass vulnerability. This severe flaw, identified as CVE-2026-24858, allows unauthorized access to devices, leading to potential data breaches and system compromise. The company is urging users to patch their systems immediately to prevent further exploitation.
The vulnerability specifically targets FortiOS, FortiManager, and FortiAnalyzer, with a CVSS score of 9.4 indicating its critical nature. It permits attackers with a FortiCloud account to log into other registered devices if FortiCloud single sign-on (SSO) authentication is enabled, bypassing standard login procedures. Fortinet is actively investigating its impact on other product lines, including FortiWeb and FortiSwitch Manager.
FortiOS Authentication Bypass Exploited in the Wild
According to Fortinet’s advisory, the vulnerability, categorized as an Authentication Bypass Using an Alternate Path or Channel (CWE-288), allows an attacker possessing a FortiCloud account and a registered device to gain access to other devices registered under different accounts. This access is contingent upon FortiCloud SSO authentication being active on the targeted devices.
Fortinet clarified that the FortiCloud SSO login feature is not enabled by default. It is typically activated when an administrator registers a device to FortiCare via the device’s graphical user interface, unless specific steps are taken to disable the “Allow administrative login using FortiCloud SSO” option. This detail is crucial for understanding the scope of potential exposure.
The company confirmed that unidentified threat actors have been leveraging a “new attack path” to achieve SSO logins without any authentication. This malicious access has been used to establish local administrator accounts for persistent access, alter configurations to grant VPN access to these accounts, and exfiltrate sensitive firewall configurations – a significant security risk for organizations relying on Fortinet products.
Fortinet’s Response and Remediation Steps
In response to the escalating threat, Fortinet has implemented a series of protective measures over the past week. On January 22, 2026, the company successfully locked out two malicious FortiCloud accounts, [email protected] and [email protected]. Subsequently, on January 26, 2026, Fortinet disabled FortiCloud SSO on its side. The feature was re-enabled on January 27, 2026, but with a critical restriction: it now prevents logins from devices running vulnerable software versions.
For the FortiCloud SSO authentication to function correctly, customers are now required to upgrade to the latest software versions. Fortinet strongly advises users who detect any signs of compromise to treat their devices as breached. The company recommends a comprehensive remediation strategy, starting with ensuring the device is running the latest firmware.
Additionally, organizations are urged to restore their configurations using a known clean version, or conduct a thorough audit for any unauthorized changes. A critical step in the recovery process involves rotating all credentials, including any linked LDAP/AD accounts connected to the FortiGate devices, to prevent further unauthorized access.
Government Agencies Mandate Action on FortiOS Vulnerability
The severity of this network security issue has prompted significant action from government cybersecurity bodies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) catalog. This addition mandates that Federal Civilian Executive Branch (FCEB) agencies must address and remediate the identified security flaws by January 30, 2026.
This mandate highlights the critical nature of the zero-day vulnerability and the potential risks it poses to national infrastructure. The inclusion in CISA’s KEV catalog signals that credible threat actors are actively exploiting this flaw, making prompt patching an urgent priority for all affected federal agencies and, by extension, for any organization utilizing the vulnerable Fortinet products.
Looking ahead, the primary next step for all Fortinet users is to apply the provided security updates. The deadline set by CISA for federal agencies underscores the urgency. However, uncertainties remain regarding the full extent of exploitation prior to Fortinet’s patches and the potential discovery of related vulnerabilities in other Fortinet products. Organizations must remain vigilant and continue to monitor for further advisories from both Fortinet and CISA.